INCIDENT RESPONSE | ACTIVE DIRECTORY
14 min read

Active Directory Compromise: The Complete Recovery Playbook

Sources:Microsoft AD Forest Recovery Guide|CISA MS-ISAC AD Security Best Practices|Mandiant: Recovering Active Directory After a Compromise
90%
of ransomware attacks include Active Directory compromise as part of their kill chain — Semperis 2025 research
10 years
maximum validity period of a forged Kerberos golden ticket using the default KRBTGT key — valid until the key is rotated
2 resets
KRBTGT must be reset twice, 10 hours apart, to invalidate all outstanding golden tickets — a single reset is insufficient
48-72 hours
minimum realistic timeline for a clean AD recovery in a mid-size environment after a confirmed domain admin compromise

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Active Directory compromise is the central objective in most ransomware attacks and advanced persistent threat intrusions. An attacker with domain admin privileges can extract the NTDS.dit database, dump all domain password hashes, create persistent backdoor accounts, establish malicious group policy objects, and forge Kerberos tickets that remain valid for years.

Recovery from AD compromise requires more than resetting compromised account passwords. This playbook covers the complete sequence: confirming the scope of compromise, executing the KRBTGT double-reset procedure that invalidates golden tickets, auditing persistent backdoors, validating AD trust relationships, and the decision framework for forest rebuild versus in-place recovery.

Confirm the scope of compromise before beginning recovery

Recovery steps vary significantly depending on what the attacker achieved. Beginning recovery actions before scoping the compromise leads to incomplete remediation.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The KRBTGT double-reset procedure

The KRBTGT account password must be reset twice, with a minimum of 10 hours between resets, to invalidate all outstanding golden tickets. A single reset is insufficient because the first reset changes the current password but the previous password is still retained for Kerberos compatibility — golden tickets signed with the old key remain valid until the second reset removes the previous password value.

The 10-hour wait is critical. The default Kerberos ticket lifetime is 10 hours. After the first KRBTGT reset, tickets signed with the old key that are currently in use throughout the domain will expire naturally within 10 hours. After 10 hours, all legitimate tickets have been reissued against the new key. The second reset then removes the retained old key, invalidating any golden tickets that were forged before the first reset.

Failing to complete the second reset leaves forged golden tickets valid for up to 10 years.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Remove attacker persistence

After invalidating golden tickets, remove all persistence mechanisms the attacker may have established. The KRBTGT reset invalidates existing forged tickets but does not remove backdoor accounts, malicious GPOs, or other persistence.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Forest rebuild decision framework

In-place recovery (the procedure above) is appropriate when the scope of compromise is well-understood and contained. Forest rebuild from scratch is necessary when confidence in the integrity of the AD environment cannot be restored.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

Active Directory compromise recovery has a defined technical sequence, but executing it correctly requires confidence in the scope of what the attacker achieved and the discipline to complete all steps — including the second KRBTGT reset that many incomplete recovery efforts skip. An incomplete AD recovery that leaves one backdoor account, one malicious GPO, or a golden ticket still in circulation results in re-compromise from the same attacker, often within days of the initial recovery. The KRBTGT double-reset and a complete privileged account audit are not optional steps — they are the core of the recovery.

Frequently asked questions

What is a Kerberos golden ticket and why is it so dangerous?

A Kerberos golden ticket is a forged Ticket Granting Ticket (TGT) signed with the KRBTGT account's password hash. Because it is signed with the domain's master Kerberos key, all Kerberos infrastructure in the domain treats it as legitimate. An attacker with the KRBTGT hash can create a ticket for any user, with any group membership, valid for any duration (up to 10 years by default). It provides persistent, unrestricted access to all Kerberos-authenticated services in the domain and survives account password resets — because the ticket is authenticated against the KRBTGT key, not the impersonated user's key.

Why does KRBTGT need to be reset twice?

Active Directory retains the KRBTGT account's previous password for Kerberos compatibility — to allow in-flight tickets signed with the previous key to complete their lifetime without causing authentication errors domain-wide. After the first reset, golden tickets signed with the old key remain valid against the retained previous password. After the 10-hour Kerberos ticket lifetime expires, legitimate tickets have been reissued against the new key. The second reset removes the retained previous password, eliminating the last key the golden ticket was valid against.

How long does Active Directory recovery take?

In-place recovery of a confirmed AD compromise — including KRBTGT double reset with the 10-hour wait, privileged account audit and cleanup, persistence removal, and validation — takes 24 to 48 hours minimum in a mid-size environment. Forest rebuild takes 48 to 96 hours or more depending on environment size and complexity. Both timelines assume AD expertise is available. Engaging external IR specialists typically reduces recovery time and increases confidence in completeness.

Sources & references

  1. Microsoft AD Forest Recovery Guide
  2. CISA MS-ISAC AD Security Best Practices
  3. Mandiant: Recovering Active Directory After a Compromise

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.